[tor-bugs] #22460 [Core Tor/Tor]: Received a bad CERTS cell: Link certificate does not match TLS certificate

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed May 31 15:48:38 UTC 2017


#22460: Received a bad CERTS cell: Link certificate does not match TLS certificate
-------------------------------------------------+-------------------------
 Reporter:  teor                                 |          Owner:
     Type:  defect                               |         Status:  new
 Priority:  High                                 |      Milestone:  Tor:
                                                 |  0.3.1.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:  tor-relay certs handshake ed25519    |  Actual Points:
  needs-analysis 030-backport                    |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by arma):

 Ok, I picked out a random 0.3.0.7 relay to investigate:
 {{{
 r NAVcoinKAction AMwQ/0JOq/Nc3H/asneNQUzzlaE BqKk6i3DDnYFzMbH1PrN1MEkCCM
 2017-05-31 04:44:34 193.233.60.159 443 80
 s Exit Fast Running Stable V2Dir Valid
 v Tor 0.3.0.7
 }}}

 moria1 is voting Running for it currently.

 There is one instance, in the past few weeks, of being unhappy with its
 certs:
 {{{
 May 26 18:05:31.511 [info] channel_tls_process_versions_cell(): Negotiated
 version 4 with 193.233.60.159:443; Sending cells: CERTS
 May 26 18:05:31.511 [info] channel_tls_process_certs_cell(): Received a
 bad CERTS cell from 193.233.60.159:443: Invalid certificate chain!
 }}}

 Whereas both earlier than that and later than that there are successes,
 e.g.:
 {{{
 May 26 18:15:08.709 [info] channel_tls_process_versions_cell(): Negotiated
 version 4 with 193.233.60.159:443; Sending cells: CERTS
 May 26 18:15:08.709 [info] connection_or_client_learned_peer_id(): learned
 peer id for 0x7fdacda3a6b0 (193.233.60.159):
 00CC10FF424EABF35CDC7FDAB2778D414CF395A1,
 K4sLttyh2+YfOPF/70MZGNTRQ+Iy6tYui/BdUYVs0ks
 May 26 18:15:08.709 [info] dirserv_orconn_tls_done(): Found router
 $00CC10FF424EABF35CDC7FDAB2778D414CF395A1~NAVcoinKAction at 193.233.60.159
 to be reachable at 193.233.60.159:443. Yay.
 May 26 18:15:08.709 [info] channel_tls_process_certs_cell(): Got some good
 certificates from 193.233.60.159:443: Authenticated it with RSA and
 Ed25519
 May 26 18:15:08.709 [info] channel_tls_process_auth_challenge_cell(): Got
 an AUTH_CHALLENGE cell from 193.233.60.159:443: Sending authentication
 type 3
 May 26 18:15:08.709 [info] channel_tls_process_netinfo_cell(): Got good
 NETINFO cell from 193.233.60.159:443; OR connection is now open, using
 protocol version 4. Its ID digest is
 00CC10FF424EABF35CDC7FDAB2778D414CF395A1. Our address is apparently
 128.31.0.34.
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22460#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
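
The comparison made in the comment above (one CERTS failure for a relay, with successes before and after) can be tallied per peer from an info-level log. This is an added example, not code from the ticket or from Tor; the function names are hypothetical and the last sample record is constructed.

```python
import re
from collections import defaultdict

# Sample input: the first three records are quoted in the comment (still wrapped
# as in the e-mail); the last is constructed and uses a documentation address.
SAMPLE_LOG = """\
 May 26 18:05:31.511 [info] channel_tls_process_certs_cell(): Received a
 bad CERTS cell from 193.233.60.159:443: Invalid certificate chain!
 May 26 18:15:08.709 [info] channel_tls_process_versions_cell(): Negotiated
 version 4 with 193.233.60.159:443; Sending cells: CERTS
 May 26 18:15:08.709 [info] channel_tls_process_certs_cell(): Got some good
 certificates from 193.233.60.159:443: Authenticated it with RSA and
 Ed25519
 May 26 18:20:00.000 [info] channel_tls_process_certs_cell(): Received a
 bad CERTS cell from 198.51.100.7:9001: Link certificate does not match TLS certificate
"""
RECORD_START = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d\.\d{3} \[")
CERTS = re.compile(
    r"(?P<ts>\S+ +\d+ [\d:.]+) \[info\] channel_tls_process_certs_cell\(\): "
    r"(?:Received a bad CERTS cell from (?P<bad>\S+?): (?P<reason>.+)"
    r"|Got some good certificates from (?P<good>\S+?): )")

def unwrap(text):
    """Rejoin log records that a mail client wrapped across several lines."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if RECORD_START.match(line) or not records:
            records.append(line)      # a timestamp starts a new record
        else:
            records[-1] += " " + line  # continuation of the previous record
    return records

def certs_outcomes(text):
    """Per peer: good and bad CERTS cell counts, plus (time, reason) of failures."""
    peers = defaultdict(lambda: {"good": 0, "bad": 0, "reasons": []})
    for m in filter(None, map(CERTS.match, unwrap(text))):
        if m["bad"]:
            peers[m["bad"]]["bad"] += 1
            peers[m["bad"]]["reasons"].append((m["ts"], m["reason"]))
        else:
            peers[m["good"]]["good"] += 1
    return dict(peers)

def intermittent(outcomes):
    """Peers that both failed and passed CERTS validation within one log."""
    return sorted(p for p, o in outcomes.items() if o["good"] and o["bad"])

if __name__ == "__main__":
    print(intermittent(certs_outcomes(SAMPLE_LOG)))
```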